DETAILED ACTION

1. Claims 1-6 remain for examination. The correspondence filed 5/14/08 amended
claims 1 & 2, and added claims 4-6. 

Response to Arguments 

2. Applicant's arguments with respect to claims 1-6 have been considered but are 
moot in view of the new ground(s) of rejection. 

Claim Rejections - 35 USC § 103 

3. Claims 1-6 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
"Intrusion Detection Using Static Analysis" (hereinafter, "Wagner") in view of "Static 
Analysis" (hereinafter, "Webb") and further in view of "Splint Manual" (hereinafter, 
"Splint"). 

Regarding claim 1: 

Wagner discloses a method for detecting malicious scripts using a static 
analysis, comprising the step of: checking whether a series of methods constructing a 
malicious code pattern exist (page 158, 1st paragraph); wherein the checking step
comprises the steps of: classifying, by modeling a malicious behavior in such a manner 
that it includes a combination of unit behaviors each of which is composed of sub-unit 
behaviors or one or more method calls, each unit behavior and method call sentence 
into a matching rule for defining sentence types to be detected in script codes and a 
relation rule for defining a relation between patterns matched so that the malicious
behavior can be searched by rule variables used in the sentences satisfying the 
matching rule (section 4.3, "The abstract stack model", and particularly pages 160-161, 
"The context-free model"); generating instances of the matching rule by searching for 
code patterns matched with the matching rule from a relevant script code to be detected 
[i.e., actually implementing the classification step above] (Ibid, and also page 164, "6. 
Evaluation", 1st paragraph); and generating instances of the relation rule by searching
for instances satisfying the relation rule from a set of the generated instances of the 
matching rule (Ibid). 

Wagner does not disclose extracting parameters of functions used in the 
searched code patterns, and storing the extracted parameters in the rule variables, 
preferring instead to implement a simpler model. Nevertheless, Webb teaches that the 
ability to statically analyze "local variables, data structures, and all other data flow" in a 
script so as to determine if the script is non-hazardous has been long since known in 
the art, and has even been realized in pre-existing products (the MALPAS system, see 
page 4/2, and in particular the "Control Flow Analyzer", "Data Use Analyzer", and 
"Information Flow Analyzer" sections). It would have been quite obvious to one of 
ordinary skill in the art at the time the invention was made to incorporate at least these 
elements of Webb's MALPAS system into the static analyzer disclosed by Wagner. 
One might be inclined to do so because it would negate the need to make simplistic 
assumptions regarding the behavior of the scripts to be tested (see Wagner, page 158,
"4. Models", 2nd paragraph, noting that the conditions assumed to be true can actually
be tested by Webb's "Data Use Analyzer"), and that a suitably modified analyzer would
be useful to verify the correctness of many diverse and/or high integrity applications 
(Webb, page 4/3, "5. Static Analysis Experience and Applicability"). 

Neither Wagner nor Webb describes in sufficient detail whether their analyses
check whether parameters and return values associated between methods match
each other. However, Splint discloses another related static analysis tool wherein that
tool is capable of examining all the parameters and return values of functions [i.e.
methods] and comparing them to establish that no mismatch exists (pages 19-24, "4.
Types"; see also pages 38-40, "7.3 Declaration Consistency" and "7.4 State Clauses"). 
Splint also discloses wherein said matching rule comprises rule identifiers and sentence 
patterns to be detected (Appendix C). It would have been obvious to include this feature 
into the static analysis tools disclosed by Wagner and/or Webb, as the technique(s) 
were clearly well within the abilities of one of ordinary skill in the art at the time of the 
invention, in view of the teaching of the technique(s) in a related static analyzer tool. 
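
The two-stage search discussed for claim 1 (instances of a matching rule with function parameters stored in rule variables, then instances of a relation rule over those instances) can be sketched as follows. This is an added illustration, not code from Wagner, Webb, Splint or the application; the rule identifiers, sentence patterns and sample script are constructed assumptions.

```python
import re

# Matching rules: rule identifier -> sentence pattern. Named groups act as the
# rule variables that store parameters extracted from a matched sentence.
# Identifiers and patterns are hypothetical, constructed for this example.
MATCHING_RULES = {
    "M_GETSELF": re.compile(
        r'Set\s+(?P<file>\w+)\s*=\s*\w+\.GetFile\(\s*WScript\.ScriptFullName\s*\)', re.I),
    "M_COPY": re.compile(r'(?P<file>\w+)\.Copy\s+"(?P<dest>[^"]+)"', re.I),
}

# Relation rule: a condition over the rule variables of two matching-rule instances.
RELATION_RULES = {
    "R_SELF_COPY": {
        "uses": ("M_GETSELF", "M_COPY"),
        "condition": lambda a, b: a["line"] < b["line"]
        and a["vars"]["file"].lower() == b["vars"]["file"].lower(),
    },
}

def match_instances(script):
    """Stage 1: one instance per sentence that satisfies a matching rule."""
    found = []
    for lineno, sentence in enumerate(script.splitlines(), 1):
        for rule_id, pattern in MATCHING_RULES.items():
            m = pattern.search(sentence)
            if m:
                found.append({"rule": rule_id, "line": lineno, "vars": m.groupdict()})
    return found

def relation_instances(instances):
    """Stage 2: pairs of stage-1 instances whose rule variables satisfy a relation."""
    hits = []
    for rule_id, rule in RELATION_RULES.items():
        first, second = rule["uses"]
        for a in (i for i in instances if i["rule"] == first):
            for b in (i for i in instances if i["rule"] == second):
                if rule["condition"](a, b):
                    hits.append((rule_id, a["line"], b["line"], b["vars"]["dest"]))
    return hits

# Constructed sample script (not from the cited references).
SAMPLE = "\n".join([
    r'Set fso = CreateObject("Scripting.FileSystemObject")',
    r'Set src = fso.GetFile(WScript.ScriptFullName)',
    r'Set lg = fso.GetFile("C:\data\app.log")',
    r'lg.Copy "C:\backup\app.log"',
    r'src.Copy "C:\temp\copy.vbs"',
])
```

Calling `relation_instances(match_instances(SAMPLE))` reports only the copy on line 5, because it is the one whose `file` rule variable equals the variable bound to the script's own file on line 2; the log-file copy on line 4 matches the matching rule but not the relation rule.
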

Regarding claim 2:

Wagner further discloses wherein the matching rule is composed of rule 
identifiers and sentence patterns constructing malicious behavior and having the same 
grammar as a language of the scripts to be detected (Figure 2).

Regarding claim 3:

Wagner and Splint further disclose wherein the relation rule further includes
preconditions in which conditions should be satisfied prior to the conditions in the 
conditional expressions are described, and the action expressions describe contents 
that will be executed when both the conditional expressions and the preconditions are
satisfied (Wagner: page 162, "Principle 1" and subsequent paragraphs, and Figure 2; 
Splint: sections 7.3 "Declaration Consistency" and 7.5 "Requires and Ensures 
Clauses"). 

Regarding claim 4:

Wagner further discloses converting the script into a format suitable for static 
analysis (Figure 2). 

Regarding claim 5:

Splint further discloses the step of reporting identified instances of the matching 
rule and relation rule in a result report process (see the "Running Splint" column of 
Figures 1-24; and page 11, "1.1 Warnings"). 

Regarding claim 6:

Wagner and Splint disclose wherein the relation rule comprises conditional 
expressions in which conditions satisfying the relevant rule are described, and action 
expressions in which contents to be executed are described when the conditions in the 
conditional expressions are satisfied (Wagner: Figure 2; Splint: page 41, "7.5 Requires 
and Ensures Clauses"). 

Conclusion 

4. The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure: 
• "Improving Security Using Extensible Lightweight Static Analysis" by David
Evans and David Larochelle, Feb 2002. 

• "Static Analysis using PMD" by Tom Copeland (in particular, see pages 3-5 
teaching the particular limitations of claims 2 and 4) 

• "Static Analysis-Based Program Evolution Support in the Common Lisp 
Framework" by K. Narayanaswamy 

5. Applicant's amendment necessitated the new ground(s) of rejection presented in 
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 
CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Thomas Gyorfi whose telephone number is (571) 272-3849.
The examiner can normally be reached on 8:30am - 5:00pm Monday - Friday.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, Kim Vu, can be reached on (571) 272-3859. The fax phone number for the
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

TAG 
8/26/08 
/KimYen Vu/ 

Supervisory Patent Examiner, Art Unit 2135 



